kadm5.acl rights for foreign principals

Douglas E. Engert deengert at anl.gov
Tue Mar 12 14:44:24 EST 2002


Nicolas Williams wrote:
> 
> On Tue, Mar 12, 2002 at 02:25:38PM -0500, Ken Hornstein wrote:
> > >Since we have a multi-realm KDC and in real life the same
> > >people will manage those realms, I'd like to give permissions
> > >to the same principal and if possible I wouldn't like
> > >create user/admin at REALM1, user/admin at REALM2. I just want to
> > >insert a entry for user/admin at REALM1 in kadm5.acl file
> > >for each domain.
> >
> > Unfortunately ... because kadmin/admin is set to only allow AS_REQ based
> > requests (which you don't want to change, trust me) and there's no way
> > to do cross-realm without a TGS-based request, then you're stuck.  You can't
> > do what you want.
> 
> If only GSS-API had a concept of "initial" credentials so that acceptors
> could request initial credentials. But that would necessitate a
> gss_acquire_cred() API that could handle user prompting.
> 

Actually I am glad it does not have this. Makes it too easy for applications
to start asking for passwords. Too easy to make a Trojan horse.
> Sigh.
> 
> > --Ken
> 
> Cheers,
> 
> Nico

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
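A small lint for the situation discussed above, added here as an example and not code from the thread or from MIT Kerberos. It assumes the MIT kadm5.acl line format (principal, permissions, optional target principal and restrictions, with "#" comments) and the behaviour Ken describes: kadmin/admin only honours tickets obtained directly with a password, so an ACL entry naming a principal from a foreign realm can never match. The ACL text is a constructed sample; the realm names and the function names are hypothetical.

```python
"""Flag kadm5.acl entries that can never be honoured by kadmind.

Added example, not from the original thread.  Assumes the MIT kadm5.acl
format (principal  permissions  [target  [restrictions]], '#' comments)
and the thread's point that kadmin/admin refuses TGS-based (cross-realm)
tickets, so a principal whose realm differs from the realm this KDC
serves is a dead entry.
"""

# Permission letters MIT kadmin recognises; '*' and 'x' stand for all.
# Upper-case letters deny instead of grant, so we compare case-folded.
PERMISSION_LETTERS = set("admcilspxe*")


def parse_kadm5_acl(text):
    """Return (lineno, principal, perms, target) for each non-comment line.

    perms is None when the line has a principal but no permissions field.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            entries.append((lineno, fields[0], None, None))
            continue
        target = fields[2] if len(fields) > 2 else None
        entries.append((lineno, fields[0], fields[1], target))
    return entries


def principal_realm(principal):
    """Realm part of 'name@REALM', or None when no realm is given."""
    if "@" not in principal:
        return None
    return principal.rsplit("@", 1)[1]


def lint_kadm5_acl(text, local_realm):
    """Return a list of (lineno, message) findings for the ACL text.

    local_realm is the realm this kadmind instance serves; in a
    multi-realm KDC each realm has its own acl_file and must be
    linted against its own realm name.
    """
    findings = []
    for lineno, principal, perms, _target in parse_kadm5_acl(text):
        if perms is None:
            findings.append((lineno, "malformed entry: missing permissions"))
            continue
        unknown = set(perms.lower()) - PERMISSION_LETTERS
        if unknown:
            findings.append((lineno, "unknown permission letter(s): "
                             + "".join(sorted(unknown))))
        realm = principal_realm(principal)
        if realm is None or realm == "*":
            continue  # unqualified or wildcard realm: left to kadmind
        if realm != local_realm:
            findings.append((lineno,
                             f"{principal}: realm {realm} is not {local_realm}; "
                             "kadmin/admin only accepts initial tickets, so "
                             "this entry can never match"))
    return findings


# Constructed sample acl_file for REALM2 on a multi-realm KDC.
SAMPLE_ACL = """\
# kadm5.acl for REALM2 (constructed sample)
*/admin@REALM2          *
user/admin@REALM1       *                  # foreign realm: never matches
ops@REALM2              adil               */admin@REALM2
joe@REALM2              q                  # typo in permissions
"""

if __name__ == "__main__":
    for lineno, msg in lint_kadm5_acl(SAMPLE_ACL, "REALM2"):
        print(f"line {lineno}: {msg}")
```

Run it against each realm's acl_file with that realm's name; the only remedy for a flagged foreign-realm entry is the one the thread arrives at, a separate admin principal in each realm.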


